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O 

o 

Abstract 

Fuzzy sketches, introduced as a link between biometry and cryptography, are a way 
of handling biometric data matching as an error correction issue. We focus here on 
iris biometrics and look for the best error-correcting code in that respect. We show that 
two-dimensional iterative min-sum decoding leads to results near the theoretical limits. In 
particular, we experiment our techniques on the Iris Challenge Evaluation (ICE) database 

■ and validate our findings. 
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1 Introduction 

■ Fuzzy Sketches have been introduced to handle differences occurring between two captures 
of biometric data, viewed as errors over a codeword. Many papers give applications of this 

^ I technique for cryptographic purposes [H El [21 [6l [17] but only a few investigate what 

are the best codes for this decoding problem, e.g. [8], and how to find them. This issue is 

■ addressed here. 

o 

O , 1.1 Biometric matching and errors correction 

Typically, a biometric-based recognition scheme consists of two phases: The enrollment phase 
^ . where a biometric template b is measured from a user U and then registered in a token or a 

database. The second phase - the verification - captures a new biometric sample b' from U 
and compares it to the reference data via a matching function. According to some underlying 
measure /i and some recognition threshold r, b' will be accepted as a biometric measure of U 
if fi(b, b') < t, else rejected. Mainly two kinds of errors are associated to this scheme: False 
Reject (FR), when a matching user, i.e. a legitimate user, is rejected; False Acceptance (FA), 
when a non-matching one, e.g. an impostor, is accepted. 

Note that, when the threshold increases, the FR's rate (FRR) decreases while the FA's 
rate (FAR) grows, and conversely. 

Our methods will resort to information theory and coding. For more background, notation 
and classical results, the reader is refered to [4] and [TT] in these two fields respectively. 

Assuming that the templates live in the Hamming space H = {0, l} n equipped with the 
Hamming distance d^, the main idea of fuzzy sketches, as introduced in [9], is to convert the 
matching step into an error-correcting one. Let C be an error-correcting code included in TL: 
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• During the enrollment phase, one stores z = c © b, where c is a random codeword in C, 

• During the verification phase, one tries to correct the corrupted codeword z © b' = 
c © (b © b'). Note that when the Hamming distance d-n(b, b') is small, recovering c from 
c © (b © b') is, in principle, possible. 

The correction capacity of C may thus be equal to r if we do not want to alter the FRR and 
the FAR of the system. Unfortunately, the difference between two measures of one biometric 
source can be very important, whereas the correction capacity of a code is structurally con- 
strained. Moreover, the size of the code should not be too small, to prevent z from revealing 
too much information about the template b. 

1.2 Organization of this work 

In a first part, we look for theoretical limits. We first modelize our problem with a binary 
erasure-and-error channel. Given a database of biometric data, we then give a method for 
finding an upper bound on the underlying error correction capacity. 

In a second part, restricting ourselves to iris biometric data and illustrating our method 
with iterative min-sum decoding of product codes, we provide parameters that put our per- 
formances close to the theoretical limit. 

2 Model 

We consider two separate channels with a noise model based on the differences between any 
two biometric templates. 

• The first channel, called the matching channel, is generated by errors b © b' where b 
and b' come from the same user U. 

• The second channel, the non-matching channel, is generated by errors where b and 
b' come from different biometric sources. 

In a practical biometric system, the number of errors in the matching channel is on average 
lower than in the non- matching channel. 

Moreover, the templates are not restricted to a constant length. Indeed, when a sensor 
captures biometric data, we want to keep the maximum quantity of information but it is 
rarely possible to capture the same amount of data twice - for instance an iris may be 
occulted by eyelids - hence the templates are of variable length. This variability can be 
smoothed by forming a list of erasures, i.e. the list of coordinates where they occur. More 
precisely, in coding theory, an erasure in the received message is an unknown symbol at a 
known location. We thus have an erasure-and-error decoding problem on the matching 
channel. Simultaneously, to keep the FAR low, we want a decoding success to be unlikely 
on the non-matching channel : to this end we impose bounds on the correction capacity. 

In the sequel, we deal with binary templates with at most N bits and assume, for the 
theoretical analysis that follows, that the probabilities of error and erasure on each bit are 
independent. Note that resorting to interleaving makes this hypothesis valid for all practical 
purposes. 



2.1 Theoretical limit 



Our goal is to estimate the capacity, in the Shannon sense |15j . of the matching channel when 
we work with a code of a given dimension. Namely, we want to know the maximum number of 
errors and erasures between two biometric measures that we can manage with fuzzy sketches 
for this code. 

Starting with a representative range of matching biometric data, the theorem below gives 
an easy way to estimate the lowest achievable FRR. The idea is to check whether the best 
possible code with the best generic decoding algorithm, i.e. a maximum-likelihood (ML) 
decoding algorithm (which systematically outputs the most likely codeword), would succeed 
in correcting the errors. 

Theorem 1 Let k £ N* , C be a binary code of length N and size 2 k , and m a random 
received message, from a random codeword of C , of length N with w n errors and w e erasures. 
Assume that C is an optimal code with respect to N and k, equipped with an ML decoder. 

If jy^j > then m is only decodable with a negligible probability, where 9 is such that 
the Hamming sphere of radius (N — w e )6 in F^ - """ 5 contains 2 N ~ We ~ k elements. 

Proof. In the case of errors only (i.e. no erasures) with error-rate p := w e /N , the canonical 
second theorem of Shannon asserts that there are families of codes with (transmission) rate 
R := k/n coming arbitrarily close to the channel capacity n(p), decodable with ML-decoding 
and a vanishing (in N) word error probability P e . 

In this case, n(p) = 1 — h(p), where h(p) is the (binary) entropy function (log's are to the 
base 2): 

h(x) = —x log x — (1 — x) log(l — x). 

Furthermore, P e displays a threshold phenomenon: for any rate arbitrarily close to, but 
above capacity and any family of codes, P e tends to 1 when ./V grows. 
Equivalently, given R, there exists an error-rate threshold of 

P = h- 1 (l-R), 

h^ 1 being the inverse of the entropy function. 

Back to the errors-and-erasures setting now. Our problem is to decode to the codeword 
nearest to the received word on the nonerased positions. 

Thus we are now faced with a punctured code with length N — w e , size 2 k , transmission 
rate R' := k/(N — w e ) and required to sustain an error-rate p' := j^J 1 ■ 

By the previous discussion, if 

p' >9:=h~ 1 (l-R'), 

NO code and NO decoding procedure exist with a non-vanishing probability of success. 

To conclude the proof, use the classical Stirling approximation for the size of a Hamming 
sphere of radius aM in Ff by 2 h( > aM \ I 

Practical implications of this theorem are illustrated in Table [H Sec. 13.31 



3 Application 



3.1 Description of the two-dimensional iterative min-sum decoding algo- 
rithm 

A binary linear error-correcting code C is a vector subspace of F 2 . The minimum distance 
dmin °f C is the smallest Hamming distance between two distinct codewords. When k is 
the dimension of the subspace C, i.e. when it contains 2 k codewords, C is denoted by 
[N, k, d m i n ]2- The correction capacity t of C is the radius of the largest Hamming ball for 
which, for any x E W% , there is at most one codeword in the ball of radius t centered on x. 
Clearly, t = l(d m i n — l)/2j. An altered codeword with w n errors and w e erasures can always 
be corrected (by ML decoding) provided 2w n + w e < d m i n . However, if the code admits an 
iterative decoding algorithm, practical results overtake this limitation. 

We will work with product codes together with a specific iterative decoding algorithm 
described below. A product code C = C\ <g> C2 is constructed from two codes: C\[N\, k±, d\\2 
and C f 2[A r 2, A; 2 , ^2] 2- The codewords of C can be viewed as matrices of size N2 X N\ whose rows 
are codewords of C\ and columns are codewords of C2 ■ This yields a [N\ x N2 , k\ x k2 , d\ x d 2 ] 
code. When k% and £; 2 are small enough for C\ and C2 to be decoded exhaustively a very 
efficient iterative decoding algorithm is available, namely the min-sum decoding algorithm. 
Min-sum decoding of LDPC codes was developed by Wiberg [18] as a particular instance of 
message passing algorithms. In a somewhat different setting it was also proposed by Tanner 
|16] for decoding generalized LDPC (Tanner) codes. The variant we will be using is close 
to Tanner's algorithm and is adapted to product codes. Min-sum is usually considered to 
perform slightly worse than the more classical sum-product message passing algorithm on 
the Gaussian, or binary-symmetric channels, but it is specially adapted to our case where 
knowledge of the channel is poor, and the emphasis is simply to use the Hamming distance 
as the appropriate basic cost function. 

Let (xij) be a vector of {0, l}^ 1 x7Va . The min-sum algorithm associates to every coordinate 
x^ a cost function for every iteration of the algorithm. The cost functions are defined on 
the set {0, 1}. The initial cost function is defined by k®a(x) = if the received symbol on 
coordinate (ij) is x and k^-{x) = 1 if the received symbol is 1 — x. 

A row iteration of the algorithm takes an input cost function k™ and produces an output 
cost function . The algorithm first computes, for every row i and for every codeword 
c = (ci . . . c/Vi) of Ci, the sum 

«i(c) XM/ (r ' ! 

which should be understood as the cost of putting codeword c on row i. The algorithm then 
computes, for every i,j, k°^ 1 defined as the following min, over the set of codewords of C\, 

= min K i(c)- 

cGC\,Cj=x 

This last quantity should be thought of as the minimum cost of putting the symbol x on 
coordinate (ij) while satisfying the row constraint. 

A column iteration of the algorithm is analogous to a row iteration, with simply the roles 



of the row and column indexes reversed, and code C% replacing code C\. Precisely we have 

i=i 

and 

= min Kj {c). 

The algorithm alternates row and column iterations as illustrated by Fig. [TJ After a given 
number of iterations (or before, if we find a codeword) it stops, and the value of every symbol 
Xij is put at Xij = x if < — x). If k™ 1 {x) = — x) then the value of 

stays undecided (or erased). 

The following theorem is fairly straightforward to prove and illustrates the power of min- 
sum decoding. 

Theorem 2 // the number of errors is less than d\d2j1, then two iterations of min- sum 
decoding of the product code C\ <g> C 2 recover the correct codeword. 

3.2 Our setting 

To validate our approach, we now present the results of experiments on a practical iris 
database where we obtain correction performances close to the theoretical limit. 

The database used for these experiments is the ICE (Phase I) database |10| [13] which 
contained 2953 images from 244 different eyes. A 256-byte (2048 bits) iris template, together 
with a 256-byte mask, is computed from each iris image using the algorithm reported in [5]; 
the mask filters out the unreliable bits, i.e. stores the erasures indices of the iris template. The 
database is taken without any modification but two slight corrections: one eye is suppressed 
due to a very low quality and the side of another eye has been switched from left to right. 
Hence we keep 2952 images. Note that in the database, the number of images provided for 
each eye is variable: so the number of intra-eye matching verifications between two iris codes 
from the same eye is not constant. The same holds for the inter-eye matching between two 
iris codes from different eyes. Among all the combinations, its gives a set of 29827 intra-eye 
matching and about 4 million of inter-eye matching to check. 

The classical way to compare two iris codes 1\ , I 2 with masks M\ , M2 is to compute the 
relative Hamming distance 

[|(/ie/ 2 )nM 1 nM 2 || 
\\Mi nM 2 || 

for some rotations of the second template - to deal with the iris orientation's variation - and 
to keep the lowest score. It gives the following distributions of matching scores (cf. Fig [2]) 
where we see an overlap between the two curves. We also see that the number of errors to 
handle in the matching channel is large (for instance at least 29% of errors for a FRR lower 
than 5%). On this channel, an additional difficulty originates from the number of erasures 
which varies from 512 to 1977. 

3.3 Results on ICE database 

We have experimented with the algorithm described in section 13.11 on this database with a 
particular choice for the code. In fact, the product code is constructed to fit with an array of 
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Figure 1: A row iteration followed by a column one 
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Figure 2: Inter-eyes and intra-eye distributions 

2048 bits, by using Reed-Muller codes |12[ll4j of order 1 which are known to have good weight 
distributions. A binary Reed-Muller code of order 1 in m variables, abbreviated as RM(1, m), 
is a [2 m ,m + l,2 m ~ 1 ] 2 code. We chose to combine the RM(1,6) with the RM(1, 5), leading 
to a product code of dimension 42 and codewords of length 64 x 32. 

As the density of errors and erasures in an iris code can be very high in some regions, we 
also added a randomly chosen interleaver to break this structure and increase the efficiency 
of the decoding algorithm. In so doing, we succeeded in obtaining a FRR of about 5.62% 
for a very small FAR (lower than 10 -5 ). This is in fact very close to the FAR obtained in a 
classical matching configuration for a similar FRR. 

The overall size of the code could appear small from a cryptographic point of view, but 
following the theoretical analysis of section 12.11 it is difficult to expect much more while 
achieving a low FRR on this database. Indeed, from the distribution of errors and erasures 
on the matching channel, we obtain by Theorem [1] the practical limits which are reported 
in Table [U 



Table 1: Theoretical limits on ICE database 



Code's dimension 


Best theoretical FRR 


42 


2.49% 


64 


3.76% 


80 


4.87% 


128 


9.10% 



Remark. In [8], the fuzzy sketch scheme is applied with a concatenated error-correcting 
code combining a Hadamard code and a Reed-Solomon code. More precisely, the authors 
use a Reed-Solomon code of length 32 over F 2 7 (with a correction capacity tns < 16) and a 
Hadamard code of order 6 and length 64 (with a correction capacity tn = 15): a codeword of 
2048 bits is in fact constructed as a set of 32 blocks of 64 bits where each block is a codeword 
of the underlying Hadamard code. As explained in [8], the Hadamard code is introduced to 
deal with the background errors and the Reed-Solomon code to deal with the bursts (e.g. 
caused by eyelashes, reflections, . . .). 

Note that in this scheme, the model is not exactly the same as ours, as the masks are not 
taken into account. Moreover, the quality of the database used in [8] is better than for the 
ICE database. Actually, [8] reports very good results on their experiments with a database 



of 700 images, but the codes do not seem appropriate to our case as our experiment on the 
ICE database gave a too large rate of FR (e.g. 10% of FR with 0.80% of FA), even for the 
smallest possible dimension of the Reed-Solomon code when tus = 15. 

4 Conclusion 

We derived explicit upper bounds on the correction capacity of Fuzzy Sketches on iris-based 
biometrics. We then showed how the two-dimensional iterative min-sum decoding algorithm 
achieves correction performance close to the optimal decoding rate. Our results were validated 
on a typical iris database. 
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